Did you miss our background on the California Consumer Privacy Act? Read Part I here.
Details of CCPA
The California Consumer Privacy Act (“CCPA”) was signed into law on June 28, 2018 and will go into effect on January 1, 2020. CCPA will impose significant privacy obligations on any business that handles data related to California residents, including employees, customers and individuals associated with commercial customers (or “consumers”).
CCPA provides an expansive definition of personal information:
“that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.
CCPA will apply to companies, both inside and outside of California, that meet any of the following:
- generate over $25 million in annual gross revenues;
- earn half of their annual gross revenues from selling personal information;
- or handle, buy, share or sell personal information belonging to at least 50,000 California residents.
Here are the basic rights provided to consumers under CCPA:
- To know about all data a business collects about them.
Consumers may ask a company to disclose information about: their personal data that has been collected; any third-party entities that have received their personal data; sources where their personal data was found; purposes for which the data was collected. Businesses must provide the information within 45 days and at no additional cost to the consumer.
- To opt out of the sale of their information.
Consumers can choose to opt out of having their personal information sold to third parties, and businesses must inform consumers of this option before any of their data can be sold.
- To delete their data.
Consumers can request that their personal information be deleted. If a consumer makes a request to delete, the deletion must be made unless the business can show a legal exception, e.g. to complete ongoing business transactions or protect against fraud or other unlawful behavior.
- To be free from discrimination.
Consumers cannot be discriminated against if they choose to exercise their rights under the act. For example, a business can’t charge a consumer additional fees for services if the consumer exercised rights under CCPA.
- The right to sue.
CCPA allows for consumers to pursue legal action against companies who violate the act. This includes legal action if data has been copied, transferred, stolen, disclosed or accessed without the consumer’s prior consent. Under CCPA, a consumer can recover between $100 and $750 per incident, depending on the severity of the violation. Additionally, intentional violations of CCPA may result in $7500 fines. Consumers must allow the company 30 days to address the violation before filing an action. Companies should prepare for CCPA consumer litigation.
CCPA will be a major compliance challenge for most companies and will prove expensive and difficult. Businesses will have time between now and January 2020 to work with the State of California to amend CCPA and address concerns relating to the provisions they find most troublesome from a compliance perspective. They should also be preparing for the burden of complying with this very expansive law.
In Data Privacy: Privacy by Design Part III, we will examine the implications of CCPA and the future of data privacy. Stay tuned, the third and final part of the series will be published October 8, 2018.
Geoff Mohun is General Counsel and the Chief Compliance Officer for iWorkGlobal. He has a Juris Doctorate from John F. Kennedy School of Law and is a graduate of California State University, Chico. He was admitted to the State Bar of California in 1997. Connect with Geoff on LinkedIn.